Auth-Proxy works on https also. When you enable https server, the auth-proxy credentials are sent in tls/ssl tunnel and hence protected.
But I have never tried with custom port for https.

With regards
Kings

On Sun, Jul 24, 2011 at 9:44 PM, Adil Pasha <[email protected]> wrote:

> I just tried to make it work on port 4000 which is set for https, but it
> fails.
>
> ip port-map https port tcp 4000
> !
> ip http authentication aaa
> ip http secure-server
> ip http secure-port 4000
> !
>
> The destination server is running on https using port 4000.
>
> So it seems like IOS auth-proxy will only work for simple http ports and
> supporting one port only, am I correct?
>
> Best Regards.
> ______________________
> Adil
>
> On Jul 24, 2011, at 10:39 AM, Adil Pasha wrote:
>
> All clear now, Kingsley. Thank you so much.
>
> Seems like IOS auth-proxy is just for single http port. So in my production
> network if I have to deploy it the server guys should make a decision which
> http port they will use to run between the range of 1024 to 65xxx. Also it
> is not supported for https either.
>
> My IOS version is "flash:c2800nm-adventerprisek9-mz.124-24.T.bin". I should
> have downgraded it to the lab version but lazy to do that.......;)
>
> Best Regards.
> ______________________
> Adi
>
> On Jul 24, 2011, at 2:35 AM, Kingsley Charles wrote:
>
> Great, what is the image version on R9? Seems IOS proxy on non-80 port is
> working on that image.
>
> And as far as I know, IOS http server can listen to a single port at a time.
> Hence, I think you can't make auth-proxy work on 80 and 8080 simultaneously.
>
> With regards
> Kings
>
> On Sun, Jul 24, 2011 at 10:11 AM, Adil Pasha <[email protected]> wrote:
>
>> Jim / Kingsley,
>> Thank you so much for the suggestions.
>> Yes, it is working now for port redirection.
>>
>> My topology is Desktop ----> R9 (auth-proxy + port-mapping for http 80 to
>> 8080) ------> R2 (http on port 8080)
>>
>> Now the only thing is that if I initiate a session on
>> http://10.12.12.12 which is port 80 the connection fails completely. Is there
>> a way to set up the IOS auth-proxy so that either port 80 or 8080 can work and
>> the traffic will go to the destination http server on port 8080?
>>
>> ---------------------------------------------------------
>> Here is the working configuration:
>>
>> *ACS configuration for the user:*
>>
>> priv-lvl=15
>> proxyacl#1=permit tcp any any eq 8080 <<<<<<< This is the command that
>> Kingsley and Jim suggested to use and made the port redirection work. >>>>>>>>>>
>>
>> *R9 auth-proxy configuration:*
>> aaa authentication login default group tacacs+ local
>> aaa authentication login noAAA none
>> aaa authorization auth-proxy default group tacacs+ local
>> aaa accounting auth-proxy default
>>  action-type start-stop
>> !
>> ip auth-proxy auth-proxy-banner http ^C
>> please enter your username and password
>> ^C
>> ip auth-proxy name cisco http inactivity-time 60
>> ip admission auth-proxy-banner http ^C
>> please enter your username and password
>> ^C
>> !
>> ip port-map http port tcp 8080
>> !
>> interface GigabitEthernet0/0
>>  ip address 10.10.10.9 255.255.255.0
>>  ip auth-proxy cisco
>>  duplex auto
>>  speed auto
>> !
>> ip http port 8080 <<<<<<< This is the command that Kingsley and Jim
>> suggested to use and made the port redirection work. >>>>>>>>>>
>> ip http server
>> ip http access-class 61
>> ip http authentication aaa
>> access-list 61 deny any
>> !
>>
>> *R2 http server configuration:*
>> ip http server
>> ip http port 8080
>>
>> Best Regards.
>> ______________________
>> Adil
>>
>> On Jul 23, 2011, at 10:41 PM, Kingsley Charles wrote:
>>
>> In your case, R9 intercepts http requests on port 80 while the http
>> request for R2 is on 8080, so auth-proxy will not work.
>>
>> On R9, configure http port for 8080 and then configure PAM entry for 8080.
>>
>> Also in the Auth-Proxy, change the ACE to permit port 8080, if you have a
>> restrictive ACL on the interface doing auth-proxy.
>>
>> proxyacl#1=permit tcp any any eq 8080
>>
>> Auth-proxy on port other than 80 might not work.
>>
>> Try your luck and see if it's working.
>>
>> With regards
>> Kings
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
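An added consistency check (my own code, not part of the thread and not anything from Cisco) for the conditions the replies above converge on: the interface must apply an auth-proxy rule, the local HTTP server must be on with AAA, the `ip http port` (80 when the command is absent) must match the PAM entry so the intercept happens on the port the client uses, and the downloadable `proxyacl#` entry must permit that port. The sample input is the working R9 configuration quoted above; the function and variable names are assumptions.

```python
import re

# Constructed sample input: the working R9 configuration and ACS attributes
# quoted in the thread. Variable names are mine, not IOS or ACS terms.
R9_WORKING = """\
aaa authentication login default group tacacs+ local
aaa authorization auth-proxy default group tacacs+ local
ip auth-proxy name cisco http inactivity-time 60
ip port-map http port tcp 8080
interface GigabitEthernet0/0
 ip address 10.10.10.9 255.255.255.0
 ip auth-proxy cisco
ip http port 8080
ip http server
ip http authentication aaa
"""
ACS_WORKING = ["priv-lvl=15", "proxyacl#1=permit tcp any any eq 8080"]


def auth_proxy_findings(config, acs_attrs):
    """Return the mismatches that, per the thread, keep auth-proxy from working."""
    findings = []
    m = re.search(r"^ip http port (\d+)", config, re.M)
    http_port = int(m.group(1)) if m else 80  # IOS listens on 80 by default
    pam_ports = {int(p) for p in
                 re.findall(r"^ip port-map http port tcp (\d+)", config, re.M)}
    # Interface sub-commands are indented; top-level 'ip auth-proxy name' is not.
    if not re.search(r"^\s+ip auth-proxy \S+", config, re.M):
        findings.append("no interface applies an auth-proxy rule")
    if not re.search(r"^ip http server", config, re.M):
        findings.append("ip http server missing: R9 cannot intercept HTTP")
    if not re.search(r"^ip http authentication aaa", config, re.M):
        findings.append("ip http authentication aaa missing")
    if not re.search(r"^aaa authorization auth-proxy ", config, re.M):
        findings.append("aaa authorization auth-proxy missing: proxyacl never downloaded")
    # The intercept port and the PAM entry must agree (Kingsley's first reply).
    for port in sorted(pam_ports):
        if port != http_port:
            findings.append(f"port-map http on {port} but ip http port is {http_port}")
    # After login the downloaded ACE must actually permit the mapped port.
    for port in sorted(pam_ports) or [http_port]:
        permitted = False
        for attr in acs_attrs:
            if not attr.startswith("proxyacl#"):
                continue
            ace = attr.split("=", 1)[1].strip()
            if re.match(r"permit (ip|tcp) ", ace) and (
                    "eq " not in ace or re.search(rf"\beq {port}\b", ace)):
                permitted = True
        if not permitted:
            findings.append(f"no proxyacl entry permits tcp port {port}")
    return findings
```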
